
The runtime enforcement engine.
CerbiStream is the logging governance library that runs in-process inside your application. It intercepts every log event at emission time, evaluates your governance profile, and blocks or masks sensitive data before it reaches any downstream destination.
Application
Your service
Logs emitted normally via MEL, Serilog, or NLog. No call-site changes.
CerbiStream — In-Process
Runtime enforcement engine
JSON governance profile evaluated at emission time. Sensitive fields blocked or masked. Violations tagged.
Governed payload only
Clean, policy-compliant event
Redacted fields never enter your logging pipeline.
Your existing destinations
Governance without friction.
Sits between your logging framework and your logging destinations. No infrastructure changes. No call-site rewrites.
Works with MEL, Serilog, and NLog
Plugs into all three major logging frameworks as a native provider. No wrapper libraries. No new abstractions.
No call-site rewrites
Existing log statements are untouched. Governance enforced at the provider level — completely transparent to application code.
JSON governance profiles
Human-readable cerbi_governance.json files. Version-controlled with your code. No DSL to learn. No vendor lock-in.
Runtime enforcement before ingestion
Every log event evaluated at emission time — before it reaches Splunk, Datadog, Azure Monitor, or any other sink.
Build-time validation / CI support
Roslyn analyzer flags governance issues during standard dotnet build. Policy drift caught before it ships.
In-process, zero external calls
CerbiStream runs entirely inside your application process. No external relay, no additional network hops.
Blocks PHI, PII, secrets, and credentials
Forbidden fields are blocked or masked at emission. Schema violations are tagged. Nothing sensitive continues downstream.
Violation tagging and metadata
Every event carries governance metadata — profile applied, enforcement state, violations, score — for downstream traceability.
Explore CerbiStream
Built deeper than it looks.
CerbiStream is free on NuGet and a strong starting point for any service. Here is what is under the hood.
Runtime Governance
Policy evaluated at emission time, before any network call.
CerbiStream intercepts every log event inside your process. The governance profile is evaluated synchronously on the hot path with no external calls — your downstream destinations only receive clean, policy-compliant payloads.
Developers
- One-line setup in Program.cs
- Fluent API — no heavy config files
- Preset modes for local, test, and prod
- Safer defaults from day one
DevSecOps / Platform
- Works with your existing logger — no replacement
- Policy-controlled rollout per environment
- Queue and telemetry patterns supported
- Consistent behavior without pipeline rewrite
Engineering Leadership
- Easier adoption — no big migration
- Standardised logging across all services
- Strong greenfield starting point
- Realistic fit for brownfield systems too
One line. Full governance.
// Program.cs — one line of setup
builder.Logging.AddCerbiStream();

// Or use preset modes:
.EnableDeveloperMode()   // Console on, queue off
.ForProduction()         // Queue on, telemetry on
.ForTesting()            // Console on, governance on

// Override via environment variables:
// CERBISTREAM_MODE=production
// CERBISTREAM_CONSOLE_OUTPUT=true
// CERBISTREAM_QUEUE_ENABLED=false
{
"Version": "1.0.0",
"LoggingProfiles": {
"production": {
"RequiredFields": [
"timestamp",
"message",
"correlationId"
],
"DisallowedFields": [
"ssn",
"creditCard",
"password"
],
"FieldSeverities": {
"password": "Forbidden"
}
}
}
}
$ dotnet build
CerbiStream.GovernanceAnalyzer findings:
[CS-GOV-001] Missing required field: correlationId
[CS-GOV-002] Disallowed field detected: password
(Diagnostics depend on your governance profile. Fail-fast in CI/CD before policy drift ships.)
Install via NuGet
dotnet add package CerbiStream
CerbiShield Integration
Connect to CerbiShield
CerbiStream handles governance at emission. CerbiShield is the dashboard that receives scores, tracks violations, and manages profiles across your services. Connecting the two requires three additional configuration lines.
builder.Logging.AddCerbiStream(options => options
.ForProduction()
.WithQueue("AzureServiceBus", "<your-connection-string>", "<your-queue-name>")
.WithGovernanceProfile("production")
.WithGovernanceChecks(true)
.WithApplicationIdentity("WebApi", "YourServiceType", "your-app-name")
.WithTenantId("<your-tenant-id>"));
- WithQueue(): Sends governance scores to your CerbiShield Service Bus queue. The queue type, connection string, and queue name are available in the CerbiShield dashboard under Developer Setup.
- WithGovernanceProfile(): Must match a profile name defined in cerbi_governance.json and visible in the CerbiShield Rules section.
- WithApplicationIdentity(): Sets the app name visible in the CerbiShield dashboard. Parameters: applicationType, serviceType, appName.
- WithTenantId(): Required for governance scores to be attributed to your tenant. Found in your CerbiShield deployment details.
Zero-code option — environment variables
All options can be set via environment variables instead of code. Register with a single line and CerbiStream reads configuration from the environment at startup.
CERBISTREAM_MODE=production
CERBISTREAM_QUEUE_ENABLED=true
CERBISTREAM_QUEUE_TYPE=AzureServiceBus
CERBISTREAM_QUEUE_CONNECTION=<your-connection-string>
CERBISTREAM_QUEUE_NAME=<your-queue-name>
CERBISTREAM_GOVERNANCE_ENABLED=true
CERBISTREAM_GOVERNANCE_PROFILE=production
CERBI_GOVERNANCE_PATH=/app/cerbi_governance.json
builder.Logging.AddCerbiStream(o => o.FromEnvironment());
CERBISTREAM_MODE values
development | EnableDeveloperMode() | Console output on, queue delivery off, governance on
production | ForProduction() | Console output off, queue delivery on, full telemetry
testing | ForTesting() | Console output on, queue delivery off, governance on
performance | ForPerformance() | All enrichment disabled — minimal overhead
Supported queue providers
Governance config file
CerbiStream looks for cerbi_governance.json in your app's base directory at startup. If the file is missing, a default is auto-generated, but you should provide your own so the profile name matches your deployment and you control which fields are protected. To use a custom path, set CERBI_GOVERNANCE_PATH.
{
"Version": "1.0",
"TenantId": "your-tenant-id",
"LoggingProfiles": {
"production": {
"DisallowedFields": [
"password",
"ssn",
"creditCard",
"secret",
"token",
"apiKey"
],
"FieldSeverities": {
"ssn": "Forbidden",
"creditCard": "Forbidden"
}
}
}
}
The profile name here — production — must exactly match the value passed to WithGovernanceProfile() or CERBISTREAM_GOVERNANCE_PROFILE. A mismatch means CerbiShield receives events with no profile applied and governance scores will not appear in the dashboard.
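A pre-deployment check for the mismatch described above, as an added example that is not part of CerbiStream or this page's original code: it confirms that the profile named in CERBISTREAM_GOVERNANCE_PROFILE exists in the governance file with an exact, case-sensitive match, and flags a profile that protects no fields or lists a field as both required and disallowed. The function names, the finding messages and the fallback file path are assumptions made for this illustration.

```python
# Added example, not CerbiStream code; names and fallback path are assumptions.
import json
import os
import sys


def check_governance(text, profile_name):
    """Return a list of findings; an empty list means the file passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    profiles = doc.get("LoggingProfiles") if isinstance(doc, dict) else None
    if not isinstance(profiles, dict) or not profiles:
        return ["no LoggingProfiles object defined"]
    if profile_name not in profiles:
        # The name must match exactly; point out case-only near misses.
        near = [p for p in profiles if p.lower() == profile_name.lower()]
        hint = f" (did you mean {near[0]!r}?)" if near else ""
        return [f"profile {profile_name!r} not found{hint}"]
    profile = profiles[profile_name]
    if not isinstance(profile, dict):
        return [f"profile {profile_name!r} is not a JSON object"]
    findings = []
    disallowed = profile.get("DisallowedFields") or []
    required = profile.get("RequiredFields") or []
    if not disallowed:
        findings.append(f"profile {profile_name!r} protects no fields")
    for field in sorted(set(required) & set(disallowed)):
        findings.append(f"{field!r} is both required and disallowed")
    return findings


def main():
    path = os.environ.get("CERBI_GOVERNANCE_PATH", "cerbi_governance.json")
    name = os.environ.get("CERBISTREAM_GOVERNANCE_PROFILE", "")
    if not os.path.isfile(path):
        # Per the page, a missing file means an auto-generated default is used.
        findings = [f"{path} not found; the auto-generated default would apply"]
    else:
        with open(path, encoding="utf-8") as fh:
            findings = check_governance(fh.read(), name)
    for finding in findings:
        print(f"governance-lint: {finding}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a CI step with the same environment variables the service will receive; a non-zero exit code fails the build before the mismatched profile ships.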
Where do I find my connection string and queue name?
Log in to your CerbiShield dashboard and go to Admin → Developer Setup. The queue name and namespace are shown there. The connection string is retrieved from Azure Portal → your CerbiShield resource group → Service Bus Namespace → Shared access policies → RootManageSharedAccessKey → Primary Connection String.
Manage governance with CerbiShield
CerbiStream enforces policy in the application. CerbiShield is the dashboard that manages profiles, tracks violations, and controls deployments across environments.
Add governance to your logging stack in minutes.
CerbiStream is open source (MIT) and available on NuGet. Works with your existing stack. No pipeline migration.